
Re: Call for Consensus: Subresource Integrity to FPWD.

From: Adam Langley <agl@google.com>
Date: Tue, 11 Mar 2014 08:29:15 -0400
Message-ID: <CAL9PXLypchUyj7zBuiYTzpBeU+e3CuD9WkiyPLvnW056dgCTjw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Frederik Braun <fbraun@mozilla.com>, Joel Weinberger <jww@google.com>
On Tue, Mar 11, 2014 at 5:33 AM, Mike West <mkwst@google.com> wrote:
> The only open question in my head is whether we'd require _all_ of the
> supported integrity metadata sets to match, or just one.

If we are envisioning a hash function transition, then wouldn't we
wish to be able to add metadata for a future hash function that not
all clients support? Perhaps all "understood" metadata must match.

In order to keep the code simple I would suggest that only one
metadata set must match and that clients should choose the strongest
hash function. That way one can add other hash functions or modes in
the future without breaking backwards compat and clients can figure
out what they believe is the best function to use when there
are several.


Cheers

AGL
Received on Tuesday, 11 March 2014 12:30:03 UTC
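
One reading of the selection policy suggested in the message above, as an added example that is not part of the original message or of any draft: the client ignores metadata for hash functions it does not understand, picks the strongest function it does understand, and requires a match under that function only. The `alg-base64digest` token format, the strength ranking and all function names here are assumptions made for illustration.

```python
import base64
import hashlib

# Assumed ranking, weakest to strongest; this client understands only these.
STRENGTH = ["sha256", "sha384", "sha512"]


def make_token(alg, data):
    """Build one 'alg-base64digest' metadata token (assumed format)."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()


def parse_metadata(attribute):
    """Split a whitespace-separated metadata list into (alg, digest) pairs."""
    sets = []
    for token in attribute.split():
        alg, sep, digest = token.partition("-")
        if sep and digest:
            sets.append((alg.lower(), digest))
    return sets


def verify(resource, attribute):
    """Return (ok, algorithm). Only the strongest understood function counts."""
    understood = [(a, d) for a, d in parse_metadata(attribute) if a in STRENGTH]
    if not understood:
        # Nothing this client understands; whether to load or block the
        # resource in that case is a policy choice the message leaves open.
        return None, None
    best = max((a for a, _ in understood), key=STRENGTH.index)
    actual = base64.b64encode(hashlib.new(best, resource).digest()).decode()
    # Several digests may be listed for the best function; one must match.
    ok = any(actual == d for a, d in understood if a == best)
    return ok, best


SCRIPT = b"console.log('hello');\n"  # constructed sample resource

if __name__ == "__main__":
    # A future, unknown function is skipped and sha256 is checked.
    print(verify(SCRIPT, make_token("sha256", SCRIPT) + " futurehash-AAAA"))
    # A matching weaker hash does not rescue a mismatching stronger one.
    print(verify(SCRIPT, make_token("sha256", SCRIPT) + " " + make_token("sha512", b"other")))
```

Checking only the strongest understood function is what keeps a listed weaker hash from being used to pass content that fails the stronger one.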
